This sends a clear message that GDPR regulators are serious about pursuing non-European entities
As Europe's tough new privacy law begins to bite, the British regulator has fired its first shot across the bow of foreign companies processing European personal data.
The UK Information Commissioner’s Office (ICO) has filed an enforcement notice under the GDPR (General Data Protection Regulation) against Canadian data analytics firm, AggregateIQ Data Services Ltd (AIQ).
This sends a clear message to foreign companies that Europe’s regulators are prepared to pursue entities anywhere in the world for breaching the GDPR.
As breaches go, the facts are heading towards the extreme end of the spectrum: The commissioner’s notice ordered AIQ to cease processing UK and EU personal data obtained from pro-Brexit political organisations within 30 days. According to the BBC, pro-Brexit organisations paid AIQ nearly £3.5 million to target prospective voters with political ads on social media during the referendum campaign.
AIQ is alleged to have close links to Cambridge Analytica – the data firm embroiled in a scandal earlier this year for harvesting data from 50 million Facebook users without their permission, and using the information to target US voters with personalised political advertising.
Failing to comply with the ICO’s notice could result in penalties of up to €20 million, or 4 per cent of world turnover, whichever is the higher. AIQ denies any wrongdoing and has appealed.
Top 5 takeaways for Kiwi firms
GDPR regulators are serious about pursuing non-European entities
Serving the enforcement notice on a non-European entity demonstrates the GDPR’s extraterritorial reach.
Few New Zealand organisations are likely to be involved in political campaigns with the potential to influence the democratic outcomes of other countries. But the notice should serve as a wake-up call to organisations around the world that process European personal data. Are you prepared to risk €20 million plus fines and significant reputation damage by choosing to believe geographical distance negates any real likelihood of being penalised for GDPR non-compliance?
Online ‘monitoring’ could trigger your GDPR exposure
In the absence of an EU establishment, the ICO’s basis for applying the GDPR to AIQ was its “monitoring of behaviour” of EU individuals. You will be “monitoring” if you track individuals online (eg, using cookies), including profiling individuals to analyse or predict “personal preferences, behaviours and attitudes”. This covers a wide range of online marketing and personalisation activity.
The enforcement notice does not discuss why AIQ’s activities were considered to be monitoring. But it shows you cannot overlook this trigger for applying the GDPR, particularly in the borderless world of the internet.
You must determine your lawful basis for processing
Processing personal data is lawful under the GDPR only if one of six grounds applies, including consent and performance of a contract. Unhelpfully, the enforcement notice does not detail why none of those grounds applied to AIQ. Compliance requires analysis of your different types of data, a determination of the applicable lawful basis for processing of each, documentation of those decisions to meet your accountability obligations and transparent communication of your lawful grounds to individuals.
Transparency is key
This can be challenging in practice. Have you considered and addressed how to communicate the requisite privacy information to individuals whose data you are using but with whom you don’t have a direct relationship?
Fines are not the only risk
There is a growing view that “cease processing orders” could be one of the most powerful tools in EU regulators’ toolkit.
Ordering an organisation to stop processing personal data could have a debilitating impact on its ability to conduct business. How would your business fare if you were forced to stop using all personal data of your European customers and/or employees?
Potentially even more damaging than fines or other regulatory orders is the brand and reputational harm associated with GDPR non-compliance. The heightened global privacy debate and the ever-increasing awareness of individuals’ privacy rights make this a real, tangible risk despite potential questions as to the ability to actually enforce GDPR orders outside Europe.
What should you be doing to manage your GDPR risk?
- Assess whether the GDPR really applies. Do you have a presence in Europe? If not, do your European activities trigger the GDPR, including online monitoring? Conversely, a risk-based analysis determining the GDPR does not, in fact, apply (or does not apply to certain parts of your business) could save substantial compliance costs.
- Undertake a GDPR gap analysis to help you prioritise and take a risk-based approach to compliance.
- Understand the extent of your online monitoring. Online advertising and targeting can involve multiple partners in a complex web of relationships. You need to understand the extent to which you are “monitoring the behaviour” of EU data subjects and conduct a Privacy Impact Assessment to determine the extent of your risk.
- Establish your lawful bases for processing personal data, particularly if you are relying on “legitimate interests”, which requires a balancing of your interests against those of data subjects.
Frith Tweedie is Digital Law Leader at EY Law